De-risking incident response with structured exercising

As one CISO recently put it ‘It’s not that I don't have confidence in my team, but major incidents are mini black swan events. It’s the first time they have done some things. This introduces risk.’ 

If incident response can feel chaotic, so can running defensive skills programs to fix this problem. People differ immensely, don’t follow rules and are continually drawn back to the tools to do their day job. 

There are, luckily, a number of strategies which can help reign in all this uncertainty. 

Preparation Prevents Poor Performance 

Regular exercising of defensive teams builds confidence in their ability to respond. This is an approach which has been perfected in areas such as the military and emergency services - who have become adept at leveraging structured approaches which cybersecurity can learn from: 

1. Set clear objectives: The concept of ‘purpose’ is central to military exercising for a reason. With a clear end-state set upfront, teams on the ground are empowered to focus solely on how they achieve an outcome with no distractions. 

Defensive upskilling should reflect this. Not only should each and every drill have clear objectives in terms of teamwork and technical skills, but these should be mapped to risk to help achieve business outcomes. 

2. Run scenario-based drills: Both military and emergency response teams ‘train as they fight’ to prepare for a range of contingencies. Mirroring real-world situations, this forges bonds between personnel and allows them to practice decision-making and process execution under pressure. 

Cyber ranges provide blue teams with a similar, controlled, environment for simulating attacks such as ransomware, data theft or insider threats. These drills provide hands-on experience in identifying, mitigating, and recovering from major incidents, mimicking the stress and uncertainty of live incidents.  

3. Build cohesion through repetition. Military units and first responders thrive on repetition. Regular drills build muscle memory, ensuring actions are automatic when an incident evolves into a crisis. Over time, this fosters trust, coordination, and teamwork. 

For cybersecurity teams, regularly practicing of incident response plans helps refine processes and workflows. When a real attack occurs, the team is already a unit, minimizing confusion and delays. Being notoriously time poor, however, finding an undemanding way of executing on a regular cadence is crucial.   

4. After-action reviews. Military operations and emergency services drills end with a debriefing to identify what went well and what didn’t. This isn’t just about decisions made or skills applied, they’re also about how teams worked together. These after-action reviews are critical for learning and growth.  

Post-exercise reviews of cybersecurity defenders should analyze the team’s performance by identifying gaps in knowledge, teamwork and processes. Using frameworks like MITRE ATT&CK, technical gaps can be pinpointed, with a feedback session to ensure procedural improvements.  

5. Use exercising to mesh individual skills: Military teams hone specialist skills individually, but use exercising to bring these together. For example, a single weapon is taught at a range - but it's just as important that individuals knit these together on the battlefield with communication, leadership and more. 

For cybersecurity teams this means a closer integration between solo technical skills with exercising. Without this, team members respond in silos and can disappear down rabbit holes in situations where time is critical. This creates uncertainty amongst senior teams during an incident. 

Structure should be easy 

The more jaded infosec professional may be rolling their eyes by now as, historically, a cadence of exercising and solo technical skills has been high-cost and heavy lift. 

RangeForce Team Readiness solves this. With easy-to-run quarterly cycles of solo upskilling and team exercising -  structure is automatically built into skills development initiatives. Uncovering and fixing gaps in technical and teamwork skills - the platform also generates clear objectives upfront, runs drills on everything from ransomware to insider threats and reports on soft and technical skills. 

With the stakes high, we allow you to de-risk incident response by embedding structure in defensive team upskilling. Not only does this increase confidence in the skills your team has, but also the way they work together.  To see it for yourself, try a free team exercise here.